Windows 8.1 Black Belt Troubleshooting

WIN-B329
Sami Laiho - Sovelto
Senior Technical Fellow

WIN-B345

http://www.samilaiho.com/
MVP Windows Expert – IT Pro
Springboard Technical Expert Panel member
Senior Technical Fellow @ Sovelto
Senior Technical Fellow @ adminize.com
Twitter: @samilaiho
Free newsletter:

http://eepurl.com/F-GOj

WHOAMI /ALL

What makes Sami a Senior Technical Fellow?

Windows XP Deep Dive in 2001

Forgive my English
When most get Administrator or Spanish get Administrador we get…

JÄRJESTELMÄNVALVOJA

8 against 99

Language Translation
Finnish Järjestelmänvalvoja

French Administrateur

Hungarian Rendszergazda

Portuguese (Brazil) Administrador

Portuguese (Portugal) Administrador

Russian Администратор

Spanish Administrador

Swedish Administratör

You get gpedit.msc and we get…

www.wioski.com
Free replacement for SteadyState

www.adminize.com
Getting rid of admin rights and providing one-time admin passwords
You never have to worry about changing local admin passwords again!

blog.win-fu.com
http://win-fu.com/

My video based training site

Projects

After the session I’ll exchange business cards for swag

Housekeeping

Basics of OS troubleshooting
Performance troubleshooting
Unbootable machine troubleshooting

Agenda

Basics of OS troubleshooting

The only logic in Windows is that there is no logic
If something is broken run Process Monitor
Use a methodology
Know when to give up
Document!

Laws of troubleshooting in Windows

Teflon-Princess

Vs

Flypaper

What are we against

Sami Laiho

Admin is not the ”Root” in Windows
Processes can’t do ”anything”

Most common flaws in troubleshooting

What you need #1 – Good error reports!

Net helpmsg & winrm helpmsg
Copy/Paste dialogs
OneNote
Snipping tool
Windows + Print Screen
PSR

Learn and teach a few basics!

Error messages

Sami Laiho

Remote Desktop and RDCMAN
http://www.microsoft.com/en-us/download/details.aspx?id=21101
Only online debugging, after logon

TeamViewer http://www.teamviewer.com/
I think you need hardware level remoting!

vPro
http://realvnc.com/products/viewerplus/
http://blog.win-fu.com/2014/04/enabling-vpro-for-full-kvm-quick-and.html

Your own HelpDesk kit!

What you need #2 - Access!

You always need cable ties and duct tape

Sami’s Helpdesk Kit

Be creative! Use what you have!

vPro

Sami Laiho

If your computer is running BitLocker you need the recovery key
If not, or with the recovery key, you just need to brute force yourself in ;)

What you need #3 – OS Access

Change Windows 8.1 admin password
Sami Laiho

What you need #4 – Privileges
Admins can’t see everything – especially in Windows 8.1
You need the SYSTEM account
She:
Has more user privileges than Administrator (even the built-in one)
Doesn’t need to worry about policies
Can see stuff Admin can’t
Can stop processes Admin can’t
Has a higher integrity level than Administrator

Running as SYSTEM

Sami Laiho

Troubleshoot Threads!
If you’re using Task Manager or otherwise looking at processes you can’t even see what’s not working…
Search engines probably know the answer to your question, so the real problem with them is noise
How to get rid of noise?

Make your searches more accurate
Make sure you get results from people who have at least a clue on what they’re doing
Learn to diagnose threads instead of processes

What you need #5 – Correct object

Get Sysinternals tools and use Process Explorer
Need more info?

Install Debugging tools
Set the system wide variable _NT_SYMBOL_PATH to SRV*C:\symbols*http://msdl.microsoft.com/download/symbols
http://support.microsoft.com/kb/311503

Task manager is getting better but…

Processes vs threads

Sami Laiho

Case – Hung virtual machine
VM totally stuck… Task Manager looks like this
Task Manager shows that SYSTEM is causing the problem…
Process Explorer shows threads!
Removed the virtual floppy because it was pointing to a nonexistent file

In Windows Vista+ if you don’t have access to a file and you are sure you should:
1. TAKEOWN.exe or Robocopy /B
2. iCacls /SetIntegrityLevel

Remember to learn Integrity Levels – the most important change in Windows security introduced in Vista, yet one that hasn’t been talked about much

What you need #6 – Access to files

Integrity levels:
System

High

Medium

Low

Already built in
MSCONFIG
PERFMON /RES
PERFMON /REL

Always add
Sysinternals tools
Assessment and Deployment Kit (ADK)
Windows Performance Toolkit (WPT)
RSAT
Message Analyzer – Windows 8.1 supports Remote Analyzing!!

Always build
Windows Recovery Environment (WinRE)

What you need #7 - Tools

Info on WinRE:
Reagentc /info

New WinRE image (WIM name must be winre.wim):
Reagentc /setreimage /path c:\WinRE

Boot to WinRE on next reboot:
Reagentc /boottore

Windows RE

Tools

Sami Laiho

Performance troubleshooting

What I always do to catch ”Slowness”
1. Detailed error messages
2. Ability to read RSOP data
3. Ability to log on without logging on

Logon without logging on

Sami Laiho

Test and remember that some policies are tattooed on the computer
So you need to move the computer/user to an OU that doesn’t apply policies AND run:

secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose
http://support.microsoft.com/kb/313222

You can also bypass policies ;)

Slowness is often because of policies

Block GPO’s locally

Sami Laiho

Check the logs
Group Policy
Diagnostics Service

Run WPT

If it’s policies

WPT Example #1

WPT Example #2

Performance toolkit

Sami Laiho

Unbootable machine troubleshooting

How to access boot options in Windows 8.1 – Live machine

Shift-Restart or

Same if you want to go to your UEFI!

Safemode on an unbootable machine

Unsuccessful Boot #1 → Reboot
Unsuccessful Boot #2 → Reboot → Boot into WinRE
Ask the computer to go to Advanced Options
Reboot → Show Advanced Startup Menu (F8)
Choose Safe Mode. SAFEMODE!!

No keyboard? + 200ms to hit the key anyway…

Safemode is configured in the registry

Why is a PC working in Safemode?

Semi-SafeMode – MSCONFIG & AUTORUNS

Manipulating Safe Mode and the NTH-syndrome

Sami Laiho

Changes in BSOD in Windows 8/8.1

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled
None 0x0
Complete memory dump 0x1
Kernel memory dump 0x2
Small memory dump 0x3
Automatic memory dump 0x7

Changes in BSOD in Windows 10

Active Memory Dump
You can get both user + kernel space without having to dump complete memory

http://support.microsoft.com/kb/244139

Make sure you are able to crash when needed!
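An added check, not from the slides, that reads the CrashControl values listed above and reports whether the machine will actually write a dump; it also looks at the keyboard-initiated crash setting from KB 244139 (CrashOnCtrlScroll under the kbdhid driver's Parameters key, a path assumed here and not shown on the slide). It assumes an elevated PowerShell session on Windows 8.1 or later.

```powershell
# Added example (not the speaker's code): audit crash-dump readiness.
# Assumes an elevated PowerShell session on Windows 8.1 or later.

$crashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# Dump types exactly as listed on the slide.
$dumpTypes = @{
    0 = 'None (no dump will be written!)'
    1 = 'Complete memory dump'
    2 = 'Kernel memory dump'
    3 = 'Small memory dump (minidump)'
    7 = 'Automatic memory dump'
}

$cc      = Get-ItemProperty -Path $crashControl
$enabled = [int]$cc.CrashDumpEnabled
$label   = if ($dumpTypes.ContainsKey($enabled)) { $dumpTypes[$enabled] }
           else { "Unknown value $enabled" }

"CrashDumpEnabled : 0x{0:X} = {1}" -f $enabled, $label
"DumpFile         : {0}" -f $cc.DumpFile     # typically %SystemRoot%\MEMORY.DMP
"AutoReboot       : {0}" -f $cc.AutoReboot   # 1 = reboot once the dump is written

if ($enabled -eq 0) {
    Write-Warning 'Crash dumps are disabled; a BSOD will leave nothing for WinDbg to open.'
}

# Keyboard-initiated crash (KB 244139): lets you force a dump from a hung machine.
# Key path for USB keyboards is assumed here; PS/2 keyboards use the i8042prt driver.
$kbd = 'HKLM:\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters'
$ctrlScroll = (Get-ItemProperty -Path $kbd -Name CrashOnCtrlScroll `
               -ErrorAction SilentlyContinue).CrashOnCtrlScroll

if ($ctrlScroll -eq 1) {
    'CrashOnCtrlScroll is enabled: Right Ctrl + Scroll Lock (twice) forces a dump'
} else {
    'CrashOnCtrlScroll is not enabled; set it to DWORD 1 and reboot to force dumps from a hung machine'
}
```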

SFOD

Basics of BSOD analysis

Install Debugging tools
Set the system wide variable _NT_SYMBOL_PATH to SRV*C:\symbols*http://msdl.microsoft.com/download/symbols

http://support.microsoft.com/kb/311503

Use WINDBG
Open Crash Dump or DaRT’s Memory Dump Analyzer

http://msdn.microsoft.com/en-us/windows/hardware/gg463028.aspx

You can manipulate the used image

Create a refresh image:
Recimg /createimage c:\Refresh

Show current image:
Recimg /showcurrent

Set the current image:
Recimg /setcurrent c:\Refresh

Remember Wioski! http://www.wioski.com/

Reset and Refresh in Windows 8.1

”Thank you for joining!”
”Remember the evals!”
”Follow me on Twitter @samilaiho”

Windows 10
http://aka.ms/trywin10

Stop by the Windows Booth to sign up for the Windows Insider Program to get a FREE Windows 10 T-shirt, while supplies last!

Windows Springboard
windows.com/itpro

Windows Enterprise
windows.com/enterprise

Windows Resources
Microsoft Desktop Optimization Package (MDOP)
microsoft.com/mdop

Desktop Virtualization (DV)
microsoft.com/dv

Windows To Go
microsoft.com/windows/wtg

Internet Explorer TechNet http://technet.microsoft.com/ie

Resources

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

Developer Network

http://developer.microsoft.com

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Sessions on Demand

http://channel9.msdn.com/Events/TechEd

Please Complete An Evaluation Form
Your input is important!

TechEd Schedule Builder
CommNet station or PC

TechEd Mobile app
Phone or Tablet

Evaluate this session

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.